Enforcing privacy in Canada

Canada’s Office of the Privacy Commissioner has issued its report on the customer information data breach for Ashley Madison discovered in July, 2015. The Privacy Commissioner’s office launched its investigation a month later, under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Canada’s Privacy Commission worked together with Australia’s Information Commission, which also issued an identical report on the findings of the joint investigation.

The Compliance Agreement between the Office of the Privacy Commissioner and Avid Life Media, the owners of Ashley Madison, is considered to be legally binding. The Agreement outlines steps Ashley Madison must take, including:

  • enhancing privacy safeguards;
  • amending information retention practices;
  • improving information accuracy; and,
  • increasing transparency.

Investigators found that Ashley Madison had used a fictitious security trustmark, and concluded that this meant individuals’ consent was improperly obtained.

Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it.

The Privacy Commissioner also identified important lessons for all organizations to consider. The Privacy Commissioner’s website organizes some of the key takeaways from the investigation, using the following headings.

  • General
    • Harm extends beyond financial impacts.
    • Safeguards should be supported by a coherent and adequate governance framework.
  • Safeguards
    • Documentation of privacy and security practices can itself be part of security safeguards.
    • Use multi-factor authentication for remote administrative access.
  • Deletion and Retention
    • There is a high bar associated with charging a fee for deletion.
    • Retention policies should be based on a demonstrable rationale and timeline.
  • Accuracy
    • The level of accuracy required is impacted by the foreseeable consequences of inaccuracy, and should also consider interests of non-users.
  • Transparency
    • False or misleading statements may impact the validity of consent.
    • Omission or lack of clarity of material statements may also impact the validity of consent.

Each of these items is more completely described with a paragraph and links for further information to aid in corporate best practices and compliance with the legislation. Among the more interesting items was the consideration that a lack of email address verification could allow “the creation of a potentially reputation-damaging fake profile for an email address owner.”

Ashley Madison’s website encourages its members to “find your moment” while the company tries to promote discretion, promising to help its members keep their private life private.

A year after its data breach, the lessons from Ashley Madison need to help other firms ensure that they won’t find their own moment in the spotlight, and keep their customers’ private information private.

Driving costs higher

The CRTC released its 2016 report comparing the price of telecommunications services in Canada to “select foreign jurisdictions.” Among the charts that seemed to attract the most interest from the media was the steady increase in entry level wireless rates in Canada:

Table D.2.1: International Wireless Telephony and Text Messaging Service (PPP-Adjusted CA$) - Level 1: 150 Minutes

Year   Canada   U.S.A.   Australia   U.K.     France   Italy    Germany   Japan
2008   $32.73   $40.92   $21.96      $26.57   $23.55   n/a      n/a       n/a
2009   $33.03   $42.51   $19.98      $24.33   $25.37   n/a      n/a       n/a
2010   $34.03   $40.43   $18.96      $23.31   $26.54   n/a      n/a       $24.20
2011   $33.73   $33.38   $20.95      $18.64   $26.13   n/a      n/a       $25.29
2012   $34.32   $33.78   $22.44      $17.21   $24.09   n/a      n/a       $25.53
2013   $30.71   $33.08   $21.82      $21.97   $20.24   n/a      n/a       $28.09
2014   $35.70   $30.34   $25.28      $26.46   $20.75   $10.85   $16.68    $28.88
2015   $37.29   $37.04   $25.35      $23.50   $14.26   $12.15   $15.23    $27.23
2016   $41.08   $27.00   $28.19      $20.84   $22.49   $17.70   $17.15    $29.06
CAGR   2.9%     -5.1%    3.2%        -3.0%    -0.6%    12.0%    1.4%      3.1%

Looking at the point of inflection in 2013, I asked in a tweet earlier today, “Does anyone wonder what might have caused entry-level wireless prices to go up?”

In its zeal to appeal to consumers, the government has introduced measures that are actually increasing the cost of your phone service, not decreasing it.

I wrote about some of these a few years ago in a piece called “The cost of regulation”. I thought it might be time for an update.

Here are just some of the measures:

  • Removal of option for 3-year amortization on smartphones: It’s simple math: A $600 subsidy amortized over 2 years is 50% more than a $600 subsidy recovered over three.
  • 15 day trials: Under the Wireless Code, customers can get a new $1000 phone from a wireless carrier store and return it 15 days later, no questions asked. The wireless carrier now is stuck with a used phone that it cannot easily sell and it cannot charge a restocking fee. This adds costs to the carriers that are not incurred by competing retailers.
  • Banning paper bill charges: The government was shown that adoption of electronic billing was an order of magnitude higher in companies that pass on the increased cost of sending paper bills. Phone companies offered exemptions for people without internet, for seniors, and a number of other classes, including people with disabilities and veterans of the Canadian Armed Forces. Paper bills cost more, so your prices went up.
  • Disconnection rules: Under the Wireless Code, the CRTC has dramatically increased the amount of time that a wireless service provider has to continue to provide service to a customer who is not paying. The rules are reminiscent of the disconnection regime from a monopoly wireline world, when the local phone company was the only communications service provider. Is it unnecessarily raising the cost of service?
  • Regulatory proceeding cost awards: The Affordable Access Coalition filed an application for nearly half a million dollars to cover the cost of its participation in the CRTC’s recent Basic Service Obligation proceeding. Open Media asked for $170,000 for the same proceeding. That proceeding is just one of the hearings that attract cost awards, and it appears to be on track to set new records for the level of costs. If approved, these will be charged to all the telephone companies and can be expected to be recovered in your monthly bills.

Frequently, there are unintended consequences to measures that would or should have been predictable if only a bit of serious analysis had been undertaken.

The CRTC has launched a proceeding to review the Wireless Code, with submissions due September 26 and an oral hearing in February 2017.

Will groups that represent the public interest seek to relax some of the regulatory measures that drive up costs for consumers?

How resilient are your operations?

A Bloomberg article about the impact of system failures at Delta Airlines earlier this week said “Delta System Failure Marks Wake-Up Call for Airline Industry”.

In fact, I suspect Boards of Directors in every industry, not just the airline industry, are asking their CEOs for an assessment of the risk of their systems having a similar system-wide failure.

The Wall Street Journal is reporting that Delta’s CEO, Ed Bastian, is taking full responsibility for the outage:

Over the past three years, the nation’s No. 2 airline by traffic has spent “hundreds of millions” in upgrades and systems, including $150 million this year alone. Delta earlier this year named a new chief information officer and has brought in new leaders for its information technology and infrastructure team.

“It’s not clear the priorities in our investment have been in the right place,” Mr. Bastian said. “It has caused us to ask a lot of questions which candidly we don’t have a lot of answers for.”

Years ago, I spent a fair bit of time with an external auditor who wanted to understand more about how our network was configured. We talked about risks and ways to mitigate those risks. When negotiating fibre swaps, we looked at detailed maps to ensure that we were really getting improved physical diversity, not sharing the same railroad tracks, bridges, etc. As a result, physical failures from fibre cuts or power outages often have backups to restore service or, at worst, will generally result in a limited, somewhat localized outage.

Software changes often present the most substantial risk, with updates being rolled out system-wide over a short period of time. How often have we seen outages arise from software defects that weren’t detected in the labs and did not materialize until the system was subjected to peak traffic loads?

It isn’t enough to spend money on system resilience. Delta shows that money needs to be spent in the right places.

As more devices get connected in the Internet of Things, and with autonomous drones and cars, companies need to take a fresh look at system resilience, understanding the risk of failures and the costs that can arise.

Not every system has to be up all the time. But does your Board understand the cost of failure?

Innovation needs more than just engineering

Sara Diamond, President and Vice-Chancellor of OCAD, and Karel Vredenburg, head of IBM Studios Canada, wrote a piece in the weekend Globe and Mail, entitled “There’s no innovation agenda without design thinking”.

Today, competitive success is determined by the ability to understand human needs and desires and to deliver richly imagined ways of addressing them. Many organizations recognize the importance of innovation, but they don’t know how to achieve it. The answer is design.

Now, of course the head of Ontario’s college of art and design will say that the “answer is design.” But there is merit to considering the need to include the arts, humanities and social sciences together with the typical focus on science, technology, engineering and mathematics.

A few years ago, I wrote “Is your recruiting smart enough?” in which I extolled the virtues of increased diversity in hiring. I recall that at Bell Laboratories, we had geography and music graduates working alongside engineering and mathematics grads as we designed new capabilities for the AT&T long distance network. Our customers weren’t all engineers; we needed to make sure that human factors were part of feature design work, not just engineering elegance. I wrote about how we used to recruit at Bell Labs in a post “A diversity of views”.

We need to do better at leveraging the diversity that makes Canada such a great country. Our technology companies need to do a better job hiring from non-traditional areas including the arts, humanities and social sciences. And we should do a better job reading resumes from our military veterans, leveraging their experience and the leadership they developed under the most trying conditions.

As Diamond and Vredenburg write, “This would be a profoundly Canadian tack, using our creative talent and culturally diverse know-how to effectively address and build markets and ensure a competitive advantage against purely STEM plays in other jurisdictions.”

Paying for protection

The CRTC has launched a Review of the Wireless Code, a proceeding that will culminate with an oral hearing in early February 2017.

The Wireless Code was created in 2013, “to address the clarity and content of mobile wireless service contracts and related issues”. The CRTC says its objectives are to:

  • make it easier for individual and small business customers to obtain and understand the information in their wireless service contracts;
  • establish consumer-friendly business practices for the wireless service industry where necessary; and
  • contribute to a more dynamic wireless market.

In establishing the Wireless Code, the Commission had committed to measuring and reviewing the Code’s effectiveness within three years of its implementation.

392. The Commission considers it appropriate to develop an evaluation plan to evaluate the effectiveness of the Wireless Code, including the WSPs’ compliance reports referred to above. The results of this evaluation will form part of a formal review of the Wireless Code following its implementation. The Commission considers that a three-year time frame for this review is appropriate to (i) monitor compliance with the Code, (ii) ensure the Code’s effectiveness, and (iii) correct any issues that may develop during the implementation process.

In the current review, the CRTC has asked for detailed comments on a range of issues:

  • The effectiveness of the Wireless Code;
  • The evolution of the retail mobile wireless market since the implementation of the Wireless Code;
  • The content and wording of the Wireless Code;
  • Consumer awareness of the Wireless Code;
  • How the Wireless Code’s effectiveness should be assessed and reviewed going forward; and,
  • The effectiveness of the Wireless Code.

But, the CRTC has already determined that a number of issues are out of scope, including “rates and competitiveness of the marketplace.”

What is less clear is whether the CRTC will consider the costs of the Wireless Code itself: how much are consumers paying for some of the provisions of the code?

Three years ago, I wrote about some of these “costs of regulation”, including the increased monthly charges associated with having to recover the cost of a device over 2 years instead of 3. There are other provisions in the Wireless Code that raise costs for consumers.

For example, the Wireless Code specifies a 15 day “trial period”:

250. Accordingly, the Commission considers that a requirement to provide a trial period lasting a minimum of 15 calendar days for contracts under which the consumer is subject to an early cancellation fee represents an appropriate balance between the needs of consumers and the burden that such a requirement places on WSPs.

As a result, if you buy a phone from a wireless carrier, you can return it within 15 days and cancel the contract. The carrier has to accept the phone back and cannot charge a restocking fee. The carrier is now stuck with a used device. Note that if you buy the device from a big box retailer, there is no obligation for the retailer to take back your used device. The cost to the carriers of these trials is being borne by the overall subscriber base.

Measuring the effectiveness of the Wireless Code is important. Will the CRTC seek evidence to help measure the cost-effectiveness of each provision of the Wireless Code?
